San Francisco - On Monday, Judge Marilyn Hall Patel struck down Cold War
export restrictions on the privacy technology called cryptography. Her
decision knocks out a major part of the Clinton Administration's
effort to force companies to build "wiretap-ready" computers,
set-top boxes, telephones, and consumer electronics.

The decision is a victory for free speech, academic freedom, and the
prevention of crime. American scientists and engineers will now be
free to collaborate with their peers in the United States and in other
countries. This will enable them to build a new generation of tools
for protecting the privacy and security of communications.

The Clinton Administration has been using the export restrictions to goad
companies into building wiretap-ready "key recovery" technology. In a
November Executive Order, President Clinton offered limited
administrative exemptions from these restrictions to companies which
agree to undermine the privacy of their customers. Federal District
Judge Patel's ruling knocks both the carrot and the stick out of
Clinton's hand, because the restrictions were unconstitutional in the
first place.

The Cold War law and regulations at issue in the case prevented
American researchers and companies from exporting cryptographic
software and hardware. Export is normally thought of as the physical
carrying of an object across a national border. However, the
regulations define "export" to include simple publication in the U.S.,
as well as discussions with foreigners inside the U.S. They also define
"software" to include printed English-language descriptions and
diagrams, as well as the traditional machine-readable object code and
human-readable source code.

The secretive National Security Agency has built up an arcane web of
complex and confusing laws, regulations, standards, and secret
interpretations for years. These are used to force, persuade, or
confuse individuals, companies, and government departments into making
it easy for NSA to wiretap and decode all kinds of communications.
Their tendrils reach deep into the White House, into numerous Federal
agencies, and into the Congressional Intelligence Committees. In
recent years this web is unraveling in the face of increasing
visibility, vocal public disagreement with the spy agency's goals,
commercial and political pressure, and judicial scrutiny.

Civil libertarians have long argued that encryption should be widely
deployed on the Internet and throughout society to protect privacy,
prove the authenticity of transactions, and improve computer security.
Industry has argued that the restrictions hobble them in building
secure products, both for U.S. and worldwide use, risking America's
current dominant position in computer technology. Government
officials in the FBI and NSA argue that the technology is too
dangerous to permit citizens to use it, because it provides privacy to
criminals as well as ordinary citizens.

"We're pleased that Judge Patel understands that our national security
requires protecting our basic rights of free speech and privacy," said
John Gilmore, co-founder of the Electronic Frontier Foundation, which
backed the suit. "There's no sense in `burning the Constitution in
order to save it'. The secretive bureaucrats who have restricted these
rights for decades in the name of national security must come to a
larger understanding of how to support and preserve our democracy."

Reactions to the decision

"This is a positive sign in the crypto wars -- the first rational
statement concerning crypto policy to come out of any part of the
government," said Jim Bidzos, President of RSA Data Security, one of
the companies most affected by crypto policy.

"It's nice to see that the executive branch does not get to decide
whether we have the right of free speech," said Philip Zimmermann,
Chairman of PGP, Inc. "It shows that my own common sense
interpretation of the constitution was correct five years ago when I
thought it was safe to publish my own software, PGP. If only US
Customs had seen it that way." Mr. Zimmermann is a civil libertarian
who was investigated by the government under these laws when he wrote
and gave away a program for protecting the privacy of e-mail. His
"Pretty Good Privacy" program is used by human rights activists
worldwide to protect their workers and informants from torture and
murder by their own countries' secret police.

Jerry Berman, Executive Director of the Center for Democracy and
Technology, a Washington-based Internet advocacy group, hailed the
victory. "The Bernstein ruling illustrates that the Administration
continues to embrace an encryption policy that is not only unwise, but
also unconstitutional. We congratulate Dan Bernstein, the Electronic
Frontier Foundation, and all of the supporters who made this victory
for free speech and privacy on the Internet possible."

"The ability to publish is required in any vibrant academic discipline,"
This ruling re-affirming our obvious academic right will help American
researchers publish without worrying," said Bruce Schneier, author of
the popular textbook _Applied Cryptography_, and a director of the
International Association for Cryptologic Research, a professional
organization of cryptographers.

Kevin McCurley, President of the International Association for
Cryptologic Research, said, "Basic research to further the
understanding of fundamental notions in information should be welcomed
by our society. The expression of such work is closely related to one
of the fundamental values of our society, namely freedom of speech."

Background on the case

The plaintiff in the case, Daniel J. Bernstein, Research Assistant
Professor at the University of Illinois at Chicago, developed an
"encryption algorithm" (a recipe or set of instructions) that he
wanted to publish in printed journals as well as on the Internet.
Bernstein sued the government, claiming that the government's
requirements that he register as an arms dealer and seek government
permission before publication was a violation of his First Amendment
right of free speech. This is required by the Arms Export Control Act
and its implementing regulations, the International Traffic in Arms
Regulations.

In the first phase of this litigation, the government argued that
since Bernstein's ideas were expressed, in part, in computer language
(source code), they were not protected by the First Amendment. On
April 15, 1996, Judge Patel rejected that argument and held for the
first time that computer source code is protected speech for purposes
of the First Amendment.

Details of Monday's Decision

Judge Patel ruled that the Arms Export Control Act is a prior restraint
on speech, because it requires Bernstein to apply for and obtain from
the government a license to publish his ideas. Using the Pentagon
Papers case as precedent, she ruled that the government's "interest of
national security alone does not justify a prior restraint."

Judge Patel also held that the government's required licensing
procedure fails to provide adequate procedural safeguards. When the
Government acts legally to suppress protected speech, it must reduce
the chance of illegal censorship by the bureacrats involved -- in this
case, the State Department's Office of Defense Trade Controls. Her
decision states, "Because the ITAR licensing scheme fails to provide
for a time limit on the licensing decision, for prompt judicial review
and for a duty on the part of the ODTC to go to court and defend a
denial of a license, the ITAR licensing scheme as applied to Category
XIII(b) acts as an unconstitutional prior restraint in violation of the
First Amendment." Professor Bernstein is now free to publish his ideas
without asking the government's permission first.

She also ruled that the export controls restrict speech based on the
content of the speech, not for any other reason. "Category XIII(b) is
directed very specifically at applied scientific research and speech on
the topic of encryption." The Government had argued that it restricts
the speech because of its function, not its content.

The judge also found that the ITAR is vague, because it does not
adequately define how information that is available to the public
"through fundamental research in science and engineering" is exempt
from the export restrictions. "This subsection ... does not give
people ... a reasonable opportunity to know what is prohibited." The
failure to precisely define what objects and actions are being
regulated creates confusion and a chilling effect. Bernstein has been
unable to publish his encryption algorithm for over four years. Many
other cryptographers and ordinary programmers have also been restrained
from publishing because of the vagueness of the ITAR. Brian
Behlendorf, a maintainer of the popular public domain "Apache" web
server program, stated, "No cryptographic source code was ever
distributed by the Apache project. Despite this, the Apache server
code was deemed by the NSA to violate the ITAR." Judge Patel also
adopted a narrower definition of the term "defense article" in order to
save it from unconstitutional vagueness.

The immediate effect of this decision is that Bernstein now is free to
teach his January 13th cryptography class in his usual way. He can
post his class materials on the Internet, and discuss the upcoming
class's materials with other professors, without being held in
violation of the ITAR. "I'm very pleased," Bernstein said. "Now I
won't have to tell my students to burn their notebooks."

It is unclear exactly where Judge Patel's decision applies -- in the
Northern District of California (containing San Francisco and Silicon
Valley) or throughout the country. Check with your own lawyer if
you contemplate taking action based on the decision.

It is not yet clear from the decision whether the export controls on
object code (the executable form of computer programs which source
code is automatically translated into) have been overturned. It may
be that existing export controls will continue to apply to runnable
software products, such as Netscape's browser, until another court
case challenges that part of the restrictions.

Related Updates

Today, the the Trump Administration announced the decertification of the Iranian nuclear deal agreed by the previous administration. It's the strongest sign of many showing that the U.S. government intends to take a new and more confrontational line against Iran.
But long before the decertification, tech companies were making...

Cisco custom-built the so-called “Great Firewall of China,” also known as the “Golden Shield.” This system enables the Chinese government to conduct Internet surveillance and censorship against its citizens. As if that weren’t bad enough, company documents also revealed that, as part of its marketing pitch to China and in...

“We think that trying to craft a regulatory definition that would capture offensive tools only while leaving defensive tools freely available is not possible,” Nate Cardozo, a staff attorney at the Electronic Frontier Foundation told The Hill. “We think it’s a fool’s errand to even try.”

“We think that trying to craft a regulatory definition that would capture offensive tools only while leaving defensive tools freely available is not possible,” Nate Cardozo, a staff attorney at the Electronic Frontier Foundation told The Hill. “We think it’s a fool’s errand to even try.”

This week, the U.S. Department of State’s Defense Trade Advisory Group (DTAG) met to decide whether to classify “cyber products” as munitions, placing them in the same export control regime as hand grenades and fighter planes. Thankfully, common sense won out and the DTAG recommended that “cyber products” not be...

Stanford, California—On Wednesday, October 21, at 12:45 pm, the Electronic Frontier Foundation (EFF) will urge a federal appeals court to order the U.S. government to disclose information about its role in facilitating exports of American-made surveillance tools to foreign nations. The hearing is part of a Freedom of Information Act...

EFF filed a Freedom of Information Act (FOIA) lawsuit against the U.S. Department of Commerce (DOC) in 2012 seeking export license applications for "surreptitious listening equipment" submitted since 2006. This category of regulated technology is used primarily for wiretapping and EFF filed the lawsuit after the DOC released just two...

Readers of these pages will be familiar with the debate going on between government officials and technologists around the world about law enforcement’s perceived need to access the content of any and all encrypted communications....

The Electronic Frontier Foundation, Symantec, and many other organizations are concerned about the effect of the new regulations on companies that use or provide penetration testing or network monitoring tools, as well as on security research in general.
"We think it's a terrible idea," said Cindy Cohn, executive director...